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We prove the unconditional security of the standard six-state scheme for quantum key distribu- 
tion (QKD). We demonstrate its unconditional security up to a bit error rate of 12.7 percents, by 
allowing only one-way classical communications in the error correction/privacy amplification pro- 
cedure between Alice and Bob. This shows a clear advantage of the six-state scheme over another 
standard scheme — BB84, which has been proven to be secure up to only about 11 percents, if only 
one-way classical communications are allowed. Our proof technique is a generalization of that of 
Shor-Preskill's proof of security of BB84. We show that a advantage of the six-state scheme lies 
in the Alice and Bob's ability to establish rigorously from their test sample the non-trivial mutual 
information between the bit-fiip and phase error patterns. A modified version of the degenerate 
quantum codes studied by DiVincenzo, Shor and Smolin is employed in our proof. 



PACS Numbers: 

I. BB84 

Whereas conventional cryptography is often based on 
some unproven computational assumptions, the security 
of quantum key distribution is guaranteed by the 
fundamental laws (particularly the uncertainty principle) 
of quantum mechanics. The best-known quantum cryp- 
tographic application is quantum key distribution (QKD) 
whose goal is to allow two persons, Alice and Bob, to 
communicate in perfect security in the presence of an 
eavesdropper. Eve. 

A number of years had passed before rigorous and con- 
vincing proofs of security against the most general attack 
finally appeared. Mayers and subsequently others 
| p2t have proven the security of the standard Bennett and 
Brassard's BB84 scheme a scheme that is closer to 
a realistic experimental situation. Unfortunately, those 
proofs are rather complex. A proof by Lo and Chau 
1^ has the advantage of being conceptually simple, but 
it requires a quantum computer to implement. Their 
proof built on earlier work on quantum privacy amplifi- 
cation and has subsequently been further simplified 
pO| . Recently, Shor and Preskill have proposed a 
simple proof of security of BB84 by combining and gen- 
eralizing the insights in Lo and Chan's [|j and Mayers' 
PI proofs. Their proof also extends the tolerable error 
rate of BB84 from about 7 percents set by Mayers' proof 



to about 11 percents. [] 

Other QKD schemes have also been proposed.^ A no- 
table example is the six-state scheme proposed by Bruss 
|]l6| . Recently, a proof of security of the six-state scheme 
has been proposed by Inamori jT^], which, unlike Shor 
and Preskill's proof of security of BB84, requires two- 
way classical communications between Alice and Bob. 

Until now, it was not obvious how to generalize the 
proof technique of Shor-Preskill's proof, which requires 
only one-way classical communications, to the six-state 
scheme. The main goal of this paper is to provide pre- 
cisely such a simple proof of security for the six-state 
using Shor and Preskill's approach. Our result shows 
that, using only one-way classical communication, six- 
state QKD scheme can be made secure up to an error rate 
of about 12.7 percents. This is higher than the value of 
about 11 percents in the case of Shor-Preskill's result in 
BB84, thus demonstrating the advantage of the six-state 
scheme over BB84. Our proof also clarifies the symmetry 
structure employed in Shor and Preskill's proof. 

A key idea of Shor-Preskill's proof is reduction: Instead 
of tackling the security of BB84 directly, they took an in- 
direct path. They constructed a QKD scheme that em- 
ploys entanglement purification (i.e., it requires a quan- 
tum computer to implement) and showed that such a 
scheme is secure. Then, they showed that the security 
of such an entanglement-purification-based QKD scheme 
implies the security of BB84. In their proof, the bit-flip 
and phase errors of the underlying entanglement purifi- 



* Quantum cryptography, but not quantum key distribution 
per se, was invented by Stephen Wiesner around 1970 in a pa- 
per that remained unpublished until 1983 Quantum key 
distribution is experimentally the most advanced subfield of 
quantum information processing. Photons have been trans- 
mitted over about 50km of commercial Telecom fibers ^ and 
over 1km of open air [R. 



^Mayers' proof also permits the same extension. 

*For instance, an efficient four state scheme has been pro- 
posed and its unconditional security was proven in ||l^. Be- 
sides, the security of a continuous variable (squeezed state) 
QKD scheme has been proven by Gottesman and Preskill |l3] 
using the same approach of Shor and Preskill's proof. 
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cation protocol may be totally uncorrelated. Therefore, 
in the worst case situation, the bit-flip error syndromes 
tell the two users nothing about the phase errors. 

In this paper, we will follow Shor-Preskill's approach 
for the case of a six-state QKD scheme. We see a clear 
advantage of the six-state scheme over BB84: As will 
be discussed in subsequent sections, for the six-state 
scheme, one can show that in the corresponding under- 
lying entanglement-purification-based QKD scheme, the 
bit-flip and phase errors are corre^aierf.^ In other words, 
the bit-flip error syndromes can be used to reduce the 
conditional entropy of the phase error pattern. This re- 
duction in conditional entropy makes the task of entan- 
glement purification easier and allows us to establish the 
security of the six-state scheme up to an error rate of 12.7 
percents. 

This paper is organized as follows. In Section 2, we 
review Shor-Preskill's proof. In Section 3, we study the 
differences between BB84 and the six-state scheme, em- 
phasizing the ability by Alice and Bob to establish the 
correlations between the bit-flip and phase error patterns 
in the six-state scheme, but not in BB84. In Section 4, 
our protocol for secure six-state QKD scheme is given. 
Section 5 contains various concluding remarks. 

II. SHOR-PRESKILL'S PROOF 

In this section, we shall recapitulate briefly Shor and 
Preskill's proof of security of BB84. A nice review of 
Shor and Preskill's proof can be found in the early sec- 
tions of Readers who are familar with the subject 
can skip this section. Before we go to the specifics, we 
should first review the three major ingredients of their 
proof: entanglement purification, classicalization (i.e., 
quantum to classical reduction) and CSS codes. 

A. Entanglement purification 

Entanglement purification was first studied by Ben- 
nett, DiVincenzo, Smolin and Wootters and its usage 
in QKD was first proposed by Deutsch et al. Sup- 
pose Alice prepares n EPR pairs and sends the half of 
each pair to Bob through a channel controlled by Eve. 
Because of Eve's interference, the n EPR pairs are now 
noisy. However, Alice and Bob can purify from the n 



imperfect pairs a smaller number, say m, perfect EPR 
pairs, provided that the channel is not too noisy. 

B. Classicalization 

A key question remains: how can one verify that the 
channel is, indeed, not too noisy? This is not entirely 
trivial because noise pattern of the channel is controlled 
by Eve and does not have to be independent. More- 
over, the Einstein-Podolsky-Rosen paradox tells us that 
it would be too naive to apply classical arguments blindly 
to a quantum problem. This is where the classicalization 
(quantum to classical reduction) idea of Lo and Chau j|] 
comes in. 

The key idea is "commuting observables" , i.e., one 
should focus on observables that commute with each 
other. For those observables, it is consistent to assign 
probabilities to their simultaneous eigenstates and study 
those probabilities by classical probability theory, partic- 
ularly classical random sampling theory. This leads to 
substantial simplification of the original quantum prob- 
lem. [This "commuting observables" idea is the essence 
of the stabilizer formalism of Gottesman and Calder- 
bank et al. [|||.] 

More concretely, Alice and Bob can figure out the error 
rate of the two (rectilinear or diagonal) bases by random 
sampling. That is to say that, for each basis, Alice and 
Bob select a random subset of test EPR pairs and com- 
pare their polarizations of the two halves of a pair to see 
if they agree. Mathematically, this is equivalent to mea- 
suring the either operator XX and ZZ, where X and Z 
are respectively the Pauli matrices, ax and cr^. The key 
observation here is that XX commutes with ZZ. There- 
fore, the commuting observables idea indeed applies and 
probabilities to the simultaneous eigenstates can be as- 
signed to Alice and Bob's state. 

With the above two ingredients — entanglement purifi- 
cation and classicalization, one can prove the security of 
QKD by intuitive classical argument 1^. Nonetheless, 
the resulting protocols still require quantum computers 
to implement. This is because a general entanglement 
purification protocol requires a quantum computer for 
its implementation. It is the following insight of Shor 
and Preskill jl^ that allows one to implement a secure 
QKD scheme without a quantum computer. 

C. CSS codes 



^As shown in subsequent sections, the six-state QKD scheme 
can be made symmetric with respect to all three bases, X, Y 
and Z. In the language of entanglement purification, this 
corresponds to a so-called depolarizing channel. Therefore, 
the bit-flip and phase errors are, indeed, correlated. 



Their proof makes essential use of the Calderbank- 
Shor-Steane (CSS) code. The CSS code has the useful 
property that the error correction procedure for the phase 
error is decoupled from that for the bit-flip error. Clearly, 
bit-clip error correction is important to ensure that Al- 
ice and Bob do share a common key. However, Shor and 
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Preskill made the following important observation: Since 
phase errors will not change the bit value of their final 
key anyway, Alice and Bob have the liberty of dropping 
the whole phase error correction procedure altogether. 
This is the fundamental reason why they can implement 
a CSS code-based QKD scheme without a quantum com- 
puter. General quantum error correcting codes can also 
be used for QKD, but it is unclear how to implement 
those QKD schemes without a quantum computer. 

Even though the phase error correction procedure is 
dropped in BB84, it is, nonetheless, important that the 
phase error is, in principle, correctable by the underly- 
ing quantum error correcting code because only then can 
security be guaranteed by the quantum no-cloning the- 
orem. In other words, Alice and Bob do not need to 
perform phase error correction. The very fact that Al- 
ice and Bob could perform phase error correction (if they 
had quantum computers) would be enough to guarantee 
security of QKD. The phase error correction procedure 
reduces the eavesdropper's information on the key to an 
exponentially small amount in terms of some security pa- 
rameters. In other words, the phase error correction is 
used for privacy amplification, whereas the bit-fiip error 
correction is used for error correction. The remenant of 
the phase error correction procedure is a "coset extrac- 
tion" procedure. This point has been emphasized in jT^ ] 
and will be recapitulated below. 



D. Notation 

Having introduced the above three major ingredients, 
we shall give more specifics of the Shor-Preskill's proof. 
We shall mostly use the notations in For each qubit, 
we use a canonical basis, |0) and Define also the 
basis, \+) and |-), where |+) = ^(|0) + |1)) and |-) = 
-^(|0) — |1)). The Hadamard transform, iJ, is a single 
qubit unitary transformation of the form: 



H 



1 



1 1 

1 -1 



(1) 



in the canoncial basis. It interchanges the bases |0), |1) 
and |+>, |->. 

Let us also introduce Pauli matrices, 



1 

1 



-i 

1 



1 

-1 



(2) 



In what follows, we may simplify our notation and denote 
the three Pauli matrices simply by X, Y and Z. 

The Bell basis is an orthogonal basis for the quantum 
state of two qubits. It has basis vectors. 
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*± = — (|01)±|10)), 
$± = i=(|00)±|ll)). 



(3) 
(4) 



1. CSS codes 

Let us consider two classical binary codes, Ci and C2, 
such that. 



{0} C C2 C Ci C F^, 



(5) 



where F2 is the binary vector space of the n bits and 
that both Ci and C^, the dual of C2 can correct up to t 
errors. A basis for the CSS code can be found as follows. 
For each v G Ci, define the vector 



1 



IC2II/2 



(6) 



WI£C2 



Notice that vi and V2 give the same vector whenever 
vi — V2 e C2. In other words, the codeword of the CSS 
code corresponds to the coset of C2 in Ci . Let Hi be the 
parity check matrix for the code Ci and H2 for . 



E. Secure QKD based on entanglement purification 

Let us recapitulate the key point of Shor-Preskill's 
proof. As a starting point of their paper, they |]l3| proved 
the security of the following QKD scheme: 

Protocol 1 (in fill): Modified Lo-Chau 

(0) Alice and Bob decide on a large positive integer 
n, a CSS code and a maximal number Cmax of check bit 
errors that they tolerate in the protocol. 

(1) Ahce prepares 2n EPR pairs in the state ($+)^". 

(2) Alice picks a random 2n-bit string b and applies a 
Hadamard transform H on the second half of each EPR 
pair for which (the component of) 6 is 1. 

(3) Alice sends the second halves of the EPR pairs to 
Bob. 

(4) Bob receives the qubits and publicly acknowledges 
the completion of his reception. 

(5) Alice selects randomly n of the 2n EPR pairs to 
serve as check bits to test for the eavesdropper, Eve,'s 
eavesdropping. 

(6) Alice announces the bit string b and which n EPR 
pairs are to be used as check bits. 

(7) Bob performs a Hadamard transform on the qubits 
where (the component of) 5 is 1. 

(8) Alice and Bob each measure their halves of the 
n check EPR pairs in the |0), |1) basis and broadcast 
their results. If more than Cmax check bits disagree, they 
abort. Otherwise, they proceed to the next step. 

(9) Alice and Bob each measure ctIT' for each row r e 

\r] 

Hi and for each row r e i/2 ■ They broadcast their 
results. Bob transforms his state accordingly to obtain 
m nearly perfect EPR pairs. 

(10) Alice and Bob measure the EPR pairs in the |0), 
|1) basis to obtain a shared secret key. 
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Remark: As discussed by Shor and Preskill, Alice 
should also scramble the qubits by a random permutation 
before sending them to Bob. Such a scrambling extends 
the tolerable error rate from about 7 percents set by May- 
ers to about 11 percents in Shor-Preskill's proof. We 
shall assume that this is done. 

The above protocol consists of two steps: a) verifica- 
tion and b) privacy amplification/error correction. In 
step a), Alice and Bob verify by random sampling that 
the error rate of the transmission is smaller than some 
prescribed value. Otherwise, they abort. In step b), Al- 
ice and Bob employ the property of CSS code to correct 
up to t errors and obtain privacy. 

One can calculate the probability that the test on the 
check bits is passed and yet the entanglement purification 
procedure on the code bit fails. Since Eve does not know 
which qubits are used as check bits and which as code 
bits, she cannot treat them differently. In other words, 
the check bits provide a random sample of all the bits. 
Moreover, since all relevant measurements refer to the 
Bell-bases and thus commute with each other, one can 
apply a classical random sampling argument to estimate 
the number of errors. By choosing an appropriate CSS 
code and Cmax, one can ensure that this probability is 
exponentially small in n. The readers should refer to 
for details. 



F. Reduction to a quantum error-correcting code 
protocol 

Now, the above entanglement purification protocol 
only involves one-way communication from Alice to Bob. 
It has been shown [ p8| that any one-way purification 
protocol can be reduced to a quantum error-correcting 
code protocol, i.e., Instead of Alice preparing EPR pairs 
and sending halves to Bob, Alice prepares an encoded 
quantum state with a quantum error correcting code and 
sends it to Bob. 

More concretely, suppose Alice and Bob start with n 
perfect EPR pairs. Suppose in step (9) Alice measures 

frl \r] 

the eigenvalues of az for each row r G Hi and for 
each row r g H2 and obtains the results, x and z respec- 
tively. Her measurement will project the state of Bob into 
the CSS codespace Qx^z, which has basis vectors indexed 
by the coset of C2 in Ci . For w <E Ci , the corresponding 
codeword is given by 



1 



IC2II/2 



weC2 



I) 



(7) 



The index, x, and z, defines a family of CSS codes, 
Qx,z, with equivalent error correcting capability. In other 
words, each of them can correct up to t phase errors and 
t bit-flip errors. 



Also, Alice may measure her half of the EPR pair be- 
fore or after transmission. If she measures first, it will 
be the same as she has chosen a random raw key k and 
encoded it by Q^.z (i.e., take v — k in Eq. (|^)). 

G. Reduction to BB84 

The property of CSS codes is used in the reduction 
from a quantum error correcting code protocol to BB84. 
Recall that the bit-flip and phase error correction proce- 
dures decouple in a CSS code. What if Ahce and Bob 
simply drop the phase error correction procedure? The 
resulting protocol is essentially BB84! 

More concretely, since Bob does not really need the 
phase error syndrome z to extract the value of the shared 
key, there is no reason for Alice to send it. Let us now 
consider the case when Alice has obtained a value k for 
the raw key and does not send z. We can take the average 
density matrix of Bob, over all values of z, thus obtaining: 

X \k + wi + x) {k + W2 + x\ 



- IC2I S 



wee 2 



w 



-x){k- 



w - 



-x\ 



(8) 



This gives rise to a classical mixture of the states, 
\k + w -\- x) with w randomly chosen from C2. Math- 
ematically, the key extraction procedure is the same as 
the following classical error correction/privacy amplifica- 
tion procedure: Alice sends a random string v to Bob 
and later broadcasts u -\- v where m is a random string 
in Ci. The key is then the coset, u -f C2, of C2 in Ci. 
Bob receives a corrupted string v + e. He then substracts 
Alice's broadcast string u + v from his string to obtain 
u ~\- e. He corrects errors to find u in Ci. He then finds 
the final key to be m -|- C2, which is a coset of C2 in Ci. 



III. BB84 VS SIX-STATE SCHEME 

Let us look at Shor-Preskill's proof of security of BB84 
more closely by re-examining their underlying entangle- 
ment purification protocol (EPP), Protocol 1. Recall 
from subsection [I B that one can employ the commuting 
observable idea and only be concerned with probabilities 
of their simultaneous eigenstates. In such a description, 
one only considers the diagonal entries of the density ma- 
trix with respect to the Bell-basis. Furthermore, in the 
large N limit (where TV is the number of pairs of qubits), 
by random sampling, one should only be concerned with 
the average density matrix. Therefore, one can reduce 
the whole problem of purification of a general iV-pair 
state in QKD to the problem of purification of an ensem- 
ble of N identical Bell-diagonal states. In what follows, 
we will see that the four entries in the density matrix 
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have interpretations in terms of the probabilities of a) no 
error, b) a bit-flip error, but no phase error, c) a phase 
error, but no bit-flip error and d) both bit-flip and phase 
errors. A natural question to ask is: What are the corre- 
lations between the bit-flip and phase errors? 

We will now show that in Protocol 1, the bit-flip and 
phase errors can be totally uncorrelated. In the language 
of commuting observables and in the limit of large num- 
ber of pairs, let us denote the effective density matrix 
by: 

diag(a,h,c,d). (9) 

Here, we use the Bell-basis as in the notations of . 
(See also Eqs. (||) and (||).) Now, the action of the 
Hadamard transform in Eq. (|l|) will permute the four 
matrix elements of Eq. (||) into: 

diag{a,c,b,d). (10) 

In Step 2 of Protocol 1, one applies randomly either 
the identity or the Hadamard. Averaging over the two 
cases: a) Identity and b) Hadamard, we flnd that the 
effective average density matrix shared by Alice and Bob 
after Step is of the form: 

diag{a, {h -f c)/2, (6 + c)/2, d) ~ diag{a, e, e, d), (11) 

where we define e — {b -\- c)/2. 

As remarked earlier, the four entries represent, for each 
shared pair between Alice and Bob, the four physical pos- 
sibilities respectively: a) No error; b) bit-flip error, but 
no phase error; c) phase error, but no bit-flip error; and 
d) both bit-flip error and phase error. See, for example, 
||18| for details. In the random sampling procedure — 
Steps (5)-(8), the sample bit error rate found by Alice 
and Bob will be approximately e + rf. Q This leaves d 
unconstrained in Shor-Preskill's proof of security of BB84 
scheme. The implication is that Alice and Bob cannot 
possibly know of the correlations between the bit- flip and 
the phase error. This is a serious limitation of the BB84 
scheme. In the worst case situation, the bit-flip and phase 
error are independent. This corresponds to the values, 
e = {h + c)/2 = p{l—p) and d = p'^ for some < p < ij^ 



**We remark that, owing to the symmetry between the two 
bases, only a single bit error rate of the sample is required 
to establish the security of the Shor-Preskill's procedure. In 
other words, there is no need to employ a refined data analysis 
studied in Q . 

Owing to symmetrization by the Hadamard transform, two 
of the diagonal entries in Eq. ( pd| ) are the same. This means 
that the probability of having a bit-flip error but no phase 
error is the same as that of having a phase error but no bit-flip 
error. Now, suppose the two types of errors are independent. 
They must occur independently with the same probability p. 
This means that e — p{l — p) and that d = p'^ , as stated in 
the main text. 



Let us now consider the six-state scheme. We will now 
show that the situation there is completely different. In- 
deed, we will establish that, for the six-state scheme, the 
density matrix is that given by a depolarizing channel 
and as such does have correlations between bit-flip and 
phase errors. It is this correlations between bit-flip and 
phase errors that will give the six-state scheme an advan- 
tage over BB84. 

As an analog of the Hadamard transform, which sym- 
metrizes between the two bases — X and Z — in BB84, 
in the six-state scheme we look for a symmetry operator 
that will symmetrize between the three bases — A", Y and 
Z. We flnd the operator (see, e.g., Eq. (15) of (l^.) 

which cyclically permutes the three bases, i.e., 

T : X ^ Z ^ X. (13) 

Suppose we apply either i) the identity operator; or ii) 
T; or iii) with equal probability to the density matrix 
shown in Eq. ^. The average density matrix becomes 

diag{a, {h + c + d)/3, {h + c + d)/'i,{b + c + d)/3), (14) 

which is totally symmetric with respect to the three 
bases, A, Y and Z. This shows that the channel is effec- 
tively a depolarizing channel jl^] . More importantly, the 
above four entries again represent the four possibilities: 
a) No error; b) bit-flip error, but no phase error; c) phase 
error, but no bit-flip error; and d) both bit-flip error and 
phase error. This implies that there are non-trivial cor- 
relations between bit-flip and phase errors. 

Such non-trivial correlations can be exploited to design 
a six-state error correction/privacy amplification proto- 
col that tolerates a higher error rate than Shor-Preskill's 
protocol for BB84. The key point is that, the bit-flip 
error pattern and the phase error pattern are no longer 
independent in the six-state scheme. Therefore, given 
the same bit error rate, the actual entropy of the density 
matrix is smaller in the case of the six-state scheme, as 
compared to the worst case situation in BB84. 

More concretely, for the n imperfect EPR pairs shared 
by Alice and Bob, let us denote by the variable X , the 
phase error pattern and by Z, the bit-flip error pattern. 
Now, the entropy of the whole error pattern is given by 

H{X,Z)^H{X)+H{Z)~I{X-Z). (15) 

The fact that the phase and bit-flip error patterns are 
correlated means that I{X\Z) > 0. Consider now the 
following strategy of quantum error correction. 

Subrountine A: Modified "random" hashing 
procedure with CSS codes 

(I) Alice and Bob apply a random hashing code on 
the Z variable only to identify the bit-flip error pattern. 
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Note that (slightly more than) H{Z) rounds of random 
hashing is needed. 

(II) Alice and Bob use the information on the bit-flip 
error pattern to reduce their ignorance on the phase error 
pattern from H{X) to H{X\Z) = H{X) - I{X;Z) ^ 
H{X,Z) - H{Z). 

(III) Alice and Bob apply a random hashing code on 
the X variable only to identify the phase error pattern. 
Note that only (slightly more than) H{X,Z) - H{Z) 
rounds of random hashing is needed. 

Remark: Bennett, DiVincenzo, Smolin and Wootters 
(BDSW) have studied a random hashing scheme in 
entanglement purification. Our random hashing code is 
analogous, except that we restrict our attention to CSS 
codes. Therefore, in (I), all the operators are chosen to be 
tensor products of Z operators only and in (III), X oper- 
ators only. Nonetheless, in the asymptotic limit of large 
number of pairs, our scheme is equally efficient as the 
original random hashing scheme by BDSW. In BDSW, 
it was shown that the scheme gives non-zero rate of dis- 
tilled entanglement when the fidelity / > 0.81071. Since 
/ = 1 — 3p/2 for a depolarizing channel, this corresponds 
to a bit error rate of about 12.6 percents. 

Remark: By adopting a modified version of the 
DiVincenzo-Shor-Smolin code |2^, a slightly higher er- 
ror rate of about 12.7 percents can be tolerated in the 
six-state scheme. DSS code consists of the concate- 
nated of a non-random (cat) code with random hash- 
ing code. It is one of the few examples of a so-called 
degenerate code and gives better performance than any 
known non-degenerate code. Note that the non-random 
(cat) code is a CSS-code. Since we have given a mod- 
ified version of the random hashing code that is a CSS 
code, the concatenated code can, therefore, also be mod- 
ified into a CSS code. While the actual improvement — 
12.7 percents vs 12.6 percents — is quite small, the re- 
sult is conceptually interesting because it shows that a 
degenerate code can be employed in the underlying en- 
tanglement purification protocol in i) establishing a se- 
cure error-correction/privacy amplification protocol for 
the six-state QKD scheme and ii) tolerating a higher er- 
ror rate than any known non-degenerate codes. 

IV. PROTOCOL FOR SECURE SIX-STATE QKD 
SCHEME 

Following our discussion in the last section, we now 
give the details of our procotol for secure six-state QKD 
scheme. We claim the following modified QKD scheme 
is secure. For conciseness, we omit the steps that are 
identical to Protocol 1 . We replace some of the steps of 
Protocol 1 by the following. 

Protocol 1': QKD based on entanglement pu- 
rification 



(0') Alice and Bob decide on a large positive integer 
n and a maximal number emax of check bit errors that 
they tolerate in the protocol. 

(2') Alice selects a random 2n-trit t, and performs /, 
T or on the second half of each EPR pair if (the 
component of) t is 0, 1 or 2 respectively. 

(6') Alice announces the trit string t and which n EPR 
pairs to be check bits. 

(7') Bob performs /, T^^ or T^^ on the qubits depend- 
ing on the value of (the component of) t. 

(9') Alice and Bob apply Subrountine A (the modified 
random hashing procedure with CSS codes discussed in 
the last section) to correct the (correlated) bit-flip and 
phase errors. They broadcast their results. Bob trans- 
forms his state accordingly to obtain m nearly perfect 
EPR pairs (which are shared with Alice). 

The proof of security is analogus to Shor-Preskill's 
proof. 

A. Reduction to six-state protocol 

Furthermore, the various reduction arguments of Shor- 
Preskill directly carry over and reduce Protocol 1' to a 
six-state protocol. From the security of Protocol 1', we 
have proven the security of the six-state protocol. 

More specifically, the quantum key distribution Proto- 
col 1', which is based on a one-way entanglement purifi- 
cation protocol, is mathematically equivalent to a proto- 
col based on a class of CSS code. Furthermore, by the 
virtue of CSS codes, the phase error-correcting procedure 
is essentially decoupled from the bit-flip error-correcting 
procedure. Since the phase errors do not affect the value 
of the final key, the phase error correction procedure can 
be simply dropped. Put in another way, Alice could have 
done the procedure with any CSS code in the same fam- 
ily (they are all related by phase errors to one another). 
Mathematically, the mixture of the CSS codes in the 
family is equivalent to a classical code (with the corre- 
sponding error correction and privacy amplification pro- 
cedure). Therefore, the protocol can be reduced to the a 
simple "prepare and measure" protocol, namely the six- 
state scheme. The maximal tolerable bit error rate of the 
six-state scheme with our error-correction/privacy ampli- 
fication procedure is 12.6 percents for modified random 
hashing with CSS codes (and 12.7 percents if we employ 
a modified DSS code described in the last Section). 

Inamori jl^ has recently proposed a proof based on 
a different approach which gives a higher tolerable error 
rate of about 13%. However, unlike the present proof, In- 
amori's proof requires two-way communications between 
Alice and Bob. 

In conclusion, we have proven the security of the six- 
state quantum key distribution up to a bit error rate of 
12.7 percents. 



6 



V. CONCLUDING REMARKS 

We shall conclude with a few remarks. 

A. Efficient six-state scheme and proof of its 
unconditional security 

In the six-state scheme, Alice and Bob independently 
and randomly choose between three bases. Therefore, 
two-thirds of the times they disagree and have to throw 
away their polarization data. We remark that they can 
improve the efficiency of scheme substantially by choos- 
ing the three bases with different probabilities, say e, e 
and 1 — 2e. This ensures that the efficiency is greater 
than (1 — 2e)^. As e ^ 0, the efficiency asymptotically 
goes to 100%. 

Whereas in the standard six-state scheme the compu- 
tation of only a single error rate is required for its proof 
of security, for this efficient scheme to be secure, it is 
now necessary to use a refined data analysis |Q. One 
should divide up the data according to the various bases 
in which they are transmitted and received and compute 
the error rate for each basis separately and demand that 
all the error rates are small. 

Note that the scheme is insecure when e is exactly zero. 
The constraint on e has been discussed. Basically, it is 
necessary that Ne^ > m where N is the total number 
of photons transmitted from Alice to Bob and m is the 
minimal number of photons needed for an accurate es- 
timation of the error rate of the data. The numerical 
value of m must scale at least as log TV. But, it is a priori 
unnecessary for it to scale linearly with N. We remark 
that the unconditional security of the efficient four-state 
scheme has been proven in It is straightforward to 
apply the techniques developed there to prove the un- 
conditional security of the efficient six-state scheme up 
to the same error rate of 12.7 percents. 

B. Security of other QKD schemes 

The security of some other QKD schemes remains to be 
explored. In particular, it would be interesting to study 
the security of the B92 scheme with noises. It is not 
entirely obvious to us how the Shor-Preskill's techniques 
can be apphed to B92. 

C. Real life issues 

Our result only applies to an idealized situation. In a 
real experiment, the source of EPR pairs are imperfect; 
the channel is lossy and the detector efficiency is far from 
perfect. It would be interesting to explore the security of 
the six-state in a real world situation. For BB84, some 



works along those lines have been done by researchers 
including Liitkenhaus p5| , p^ . 

In a recent preprint, Inamori, Liitkenhaus and Mayers 
have proposed a proof of security of a weak coher- 
ent state implementation of the BB84 scheme. A key 
assumption is that, given any quantum signal, indepen- 
dent of the basis of measurement chosen by Bob, Bob's 
detection efficiency stays the same. (One can imagine 
that Bob chooses his measurement basis by pushing a 
button. Then, independent of which button his pushes, 
it is assumed that the measurement will with the same 
probability be successful. In other words, the signals can- 
not behave differently according to the basis chosen by 
Bob. Cf. Trojan Horse attack in the next subsection.) 
This assumption is closely related to the detectors' loop- 
hole problem in the testing of Bell's inequalities. Given 
rather imperfect detectors, testing of Bell's inequalities 
often assumes that the detected sample provides a fair 
representation of all the signals, detected or not. 

The Shor-Preskill's proof is a fine theoretical result. 
However, if one would like to apply the result, one needs 
to make sure that the amount of computing power re- 
quired is reasonable. It is not entirely clear to us that 
this is the case. Some discussion has been made in p^ . 

D. Trojan Horse problem 

In proofs of security of QKD schemes, it is often as- 
sumed that the signals transmitted from Alice to Bob 
lives in a two-dimensional space. How can one be sure 
that there is no hidden Trojan Horse in the signal? For 
instance, the signal may, in principle, be made up of two 
parts, one is the usual quantum signal, the other is a 
robot that will explore Alice or Bob's system and tell the 
first part of the signal to behave differently according 
to, for example, the basis of measurement actually em- 
ployed by Bob. Notice that the Trojan Horse can break 
the quantum crypto-system without directly leaking out 
information from Bob's laboratory to Eve! 

One might naively think that QKD provides more 
room for the Trojan Horse attack. Fortunately, it has 
been pointed out (Note 21 of |^) that this Trojan Horse 
problem in quantum cryptography is no worse than in 
classical cryptography: By using teleportation, any quan- 
tum signal can be reduced to classical one. Therefore, Al- 
ice and Bob only need to receive classical signals anyway. 
This teleportation trick requires only the experimental 
implementation of teleportation, rather than a full-blown 
quantum computer. 
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E. Bell's inequality with untrusted imperfect 
apparatus 

Another question is whether Ahce and Bob can buy 
their quantum cryptographic devices from untrusted ven- 
dors and verify their security by doing some simple test- 
ing themselves. By assuming that Alice and Bob's labo- 
ratory can be sufficiently shielded from the environment, 
a procedure to prove security based only on input/output 
probabilities (that corresponds to a choice of several local 
measurements by Alice and Bob and the corresponding 
measurement outcomes) has been provided for the case of 
perfect EPR pairs ||2^. It would, thus, be interesting to 
generalize the result to the case of imperfect EPR sources 
and measuring apparatus. (See also Subsection |V C| .) 
This line of research can also be re-phrased as a general- 
ization of Bell's inequality to the case of a limited amount 
of entanglement. The question there becomes: given a 
fixed amount of entanglement, how far can Bell's inequal- 
ity be violated? Conversely, given some experimental vi- 
olations of Bell's inequality on some random sample, can 
one deduce the minimal amount of entanglement shared 
by Alice and Bob? Interesting questions include what 
type of privacy amplication/error correction procedures 
can be employed to prove unconditional security in this 
untrusted situation. 

In summary, there is no doubt in our mind that QKD 
provides a fertile real-life playground for the various con- 
cepts in quantum information theory. Moreover, these 
interactions between theory and practice will most likely 
inspire new research avenues on both sides. 

Notes Added: Recently, Gottesman and Lo |28) have 
proven the security of the six-state scheme up to a bit 
error rate of about 23 percents. However, their method 
employs two-way classical communications between Al- 
ice and Bob. They also show that, by allowing two-way 
classical communications, BB84 scheme can be made un- 
conditionally secure up to an error rate of 17 percents. 
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